diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
index c04718c33f0..a08988eacdd 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
@@ -19,44 +19,44 @@ query: |
| where TimeGenerated > ago(24h)
| where EventMessage has "Data Loss Prevention"
| extend DlpAction = case(
- Action == "-1", "Not available",
- Action == "0", "Blocked",
- Action == "1", "Deleted",
- Action == "2", "Delivered",
- Action == "3", "Logged",
- Action == "4", "Passed",
- Action == "5", "Quarantined",
- Action == "6", "Replaced",
- Action == "7", "Archived",
- Action == "8", "Archived (message body only)",
- Action == "9", "Quarantined (message body only)",
- Action == "10", "Passed (message body only)",
- Action == "11", "Encrypted",
- Action == "12", "Alerted (endpoint)",
- Action == "13", "Alerted (server)",
- Action == "14", "Data recorded",
- Action == "15", "User justified",
- Action == "16", "Handed off",
- Action == "17", "Recipient altered",
- Action == "18", "Blind carbon copied",
- Action == "19", "Delivery postponed",
- Action == "20", "Stamped",
- Action == "21", "Attachment deleted",
- Action == "22", "Subject tagged",
- Action == "23", "X-header tagged",
- Action == "24", "Decrypted",
- Action == "25", "Re-encrypted",
- Action == "26", "Tagged (mail)",
- Action == "27", "Encrypted (user key)",
- Action == "28", "Encrypted (group key)",
- Action == "29", "Moved",
- Action == "30", "Passed (encrypted)",
- Action == "31", "Passed (user justified)",
- Action == "32", "Blocked (Endpoint Encryption not installed)",
- Action == "33", "Blocked (user justified)",
- Action == "34", "Blocked (Endpoint Encryption logged off)",
- Action == "35", "Blocked (Endpoint Encryption error)",
- Action == "36", "web upload",
+ DvcAction == "-1", "Not available",
+ DvcAction == "0", "Blocked",
+ DvcAction == "1", "Deleted",
+ DvcAction == "2", "Delivered",
+ DvcAction == "3", "Logged",
+ DvcAction == "4", "Passed",
+ DvcAction == "5", "Quarantined",
+ DvcAction == "6", "Replaced",
+ DvcAction == "7", "Archived",
+ DvcAction == "8", "Archived (message body only)",
+ DvcAction == "9", "Quarantined (message body only)",
+ DvcAction == "10", "Passed (message body only)",
+ DvcAction == "11", "Encrypted",
+ DvcAction == "12", "Alerted (endpoint)",
+ DvcAction == "13", "Alerted (server)",
+ DvcAction == "14", "Data recorded",
+ DvcAction == "15", "User justified",
+ DvcAction == "16", "Handed off",
+ DvcAction == "17", "Recipient altered",
+ DvcAction == "18", "Blind carbon copied",
+ DvcAction == "19", "Delivery postponed",
+ DvcAction == "20", "Stamped",
+ DvcAction == "21", "Attachment deleted",
+ DvcAction == "22", "Subject tagged",
+ DvcAction == "23", "X-header tagged",
+ DvcAction == "24", "Decrypted",
+ DvcAction == "25", "Re-encrypted",
+ DvcAction == "26", "Tagged (mail)",
+ DvcAction == "27", "Encrypted (user key)",
+ DvcAction == "28", "Encrypted (group key)",
+ DvcAction == "29", "Moved",
+ DvcAction == "30", "Passed (encrypted)",
+ DvcAction == "31", "Passed (user justified)",
+ DvcAction == "32", "Blocked (Endpoint Encryption not installed)",
+ DvcAction == "33", "Blocked (user justified)",
+ DvcAction == "34", "Blocked (Endpoint Encryption logged off)",
+ DvcAction == "35", "Blocked (Endpoint Encryption error)",
+ DvcAction == "36", "web upload",
"unknown")
| summarize ActionCount = count() by DlpAction, SrcIpAddr, FileName
| sort by ActionCount desc
diff --git a/Solutions/Trend Micro Apex One/Package/3.0.1.zip b/Solutions/Trend Micro Apex One/Package/3.0.1.zip
new file mode 100644
index 00000000000..31e4da80277
Binary files /dev/null and b/Solutions/Trend Micro Apex One/Package/3.0.1.zip differ
diff --git a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
index 136e9fc8314..9c9c3efbfcf 100644
--- a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
+++ b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\")
\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Apex%20One/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Apex%20One/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/appendices/syslog-mapping-cef.aspx) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://docs.trendmicro.com/enterprise/trend-micro-apex-central-2019-online-help/preface_001.aspx) for more information. \n\r\n1. **Trend Micro Apex One via AMA** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Trend Micro Apex One via Legacy Agent** - This data connector helps in ingesting Trend Micro Apex One logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Trend Micro Apex One via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,15 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The Trend Micro Apex One connector allows you to easily connect your Trend Micro Apex One events logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
-
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the TMApexOneEvent Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
@@ -96,7 +95,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The workbook installed with the Trend Micro Apex One help’s you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
@@ -302,7 +301,7 @@
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
@@ -324,7 +323,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -338,7 +337,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -352,7 +351,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -366,7 +365,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -380,7 +379,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows channel type. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Shows channel type. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -394,7 +393,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -408,7 +407,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -422,7 +421,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -436,7 +435,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
@@ -450,7 +449,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne data connector (TMApexOneEvent Parser or Table)"
+ "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma data connector (TMApexOneEvent TMApexOneEvent Parser or Table)"
}
}
]
diff --git a/Solutions/Trend Micro Apex One/Package/mainTemplate.json b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
index d1557a5c99a..bd1aa7f5547 100644
--- a/Solutions/Trend Micro Apex One/Package/mainTemplate.json
+++ b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Trend Micro Apex One",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "TrendMicroApexOne",
@@ -210,7 +210,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Trend Micro Apex One data connector with template version 3.0.0",
+ "description": "Trend Micro Apex One data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -557,7 +557,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Trend Micro Apex One data connector with template version 3.0.0",
+ "description": "Trend Micro Apex One data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -651,12 +651,10 @@
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
-
},
{
"title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
"description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**."
-
},
{
"title": "Step C. Validate connection",
@@ -841,12 +839,10 @@
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
-
},
{
"title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
"description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**."
-
},
{
"title": "Step C. Validate connection",
@@ -886,7 +882,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneEvent Data Parser with template version 3.0.0",
+ "description": "TMApexOneEvent Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@@ -1018,7 +1014,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TrendMicroApexOneWorkbook Workbook with template version 3.0.0",
+ "description": "TrendMicroApexOneWorkbook Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -1106,7 +1102,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
@@ -1134,16 +1130,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1225,7 +1221,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
@@ -1253,16 +1249,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1344,7 +1340,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion3')]",
@@ -1372,16 +1368,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1455,7 +1451,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion4')]",
@@ -1483,16 +1479,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1565,7 +1561,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion5')]",
@@ -1593,16 +1589,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1684,7 +1680,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion6')]",
@@ -1712,16 +1708,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1794,7 +1790,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion7')]",
@@ -1822,16 +1818,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -1914,7 +1910,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion8')]",
@@ -1942,16 +1938,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -2033,7 +2029,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion9')]",
@@ -2061,16 +2057,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -2152,7 +2148,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion10')]",
@@ -2180,16 +2176,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "TrendMicroApexOne",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOne"
+ ]
},
{
+ "connectorId": "TrendMicroApexOneAma",
"dataTypes": [
"TMApexOneEvent"
- ],
- "connectorId": "TrendMicroApexOneAma"
+ ]
}
],
"tactics": [
@@ -2271,7 +2267,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion1')]",
@@ -2356,7 +2352,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion2')]",
@@ -2441,7 +2437,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion3')]",
@@ -2526,7 +2522,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion4')]",
@@ -2611,7 +2607,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion5')]",
@@ -2696,7 +2692,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion6')]",
@@ -2712,7 +2708,7 @@
"eTag": "*",
"displayName": "ApexOne - Data loss prevention action by IP",
"category": "Hunting Queries",
- "query": "TMApexOneEvent\n| where TimeGenerated > ago(24h)\n| where EventMessage has \"Data Loss Prevention\"\n| extend DlpAction = case(\nAction == \"-1\", \"Not available\",\nAction == \"0\", \"Blocked\", \nAction == \"1\", \"Deleted\",\nAction == \"2\", \"Delivered\",\nAction == \"3\", \"Logged\", \nAction == \"4\", \"Passed\",\nAction == \"5\", \"Quarantined\",\nAction == \"6\", \"Replaced\", \nAction == \"7\", \"Archived\",\nAction == \"8\", \"Archived (message body only)\",\nAction == \"9\", \"Quarantined (message body only)\", \nAction == \"10\", \"Passed (message body only)\",\nAction == \"11\", \"Encrypted\",\nAction == \"12\", \"Alerted (endpoint)\",\nAction == \"13\", \"Alerted (server)\", \nAction == \"14\", \"Data recorded\",\nAction == \"15\", \"User justified\",\nAction == \"16\", \"Handed off\",\nAction == \"17\", \"Recipient altered\", \nAction == \"18\", \"Blind carbon copied\",\nAction == \"19\", \"Delivery postponed\",\nAction == \"20\", \"Stamped\",\nAction == \"21\", \"Attachment deleted\",\nAction == \"22\", \"Subject tagged\",\nAction == \"23\", \"X-header tagged\",\nAction == \"24\", \"Decrypted\",\nAction == \"25\", \"Re-encrypted\",\nAction == \"26\", \"Tagged (mail)\",\nAction == \"27\", \"Encrypted (user key)\",\nAction == \"28\", \"Encrypted (group key)\",\nAction == \"29\", \"Moved\",\nAction == \"30\", \"Passed (encrypted)\",\nAction == \"31\", \"Passed (user justified)\",\nAction == \"32\", \"Blocked (Endpoint Encryption not installed)\",\nAction == \"33\", \"Blocked (user justified)\",\nAction == \"34\", \"Blocked (Endpoint Encryption logged off)\",\nAction == \"35\", \"Blocked (Endpoint Encryption error)\",\nAction == \"36\", \"web upload\",\n\"unknown\")\n| summarize ActionCount = count() by DlpAction, SrcIpAddr, FileName\n| sort by ActionCount desc \n| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = FileName\n",
+ "query": "TMApexOneEvent\n| where TimeGenerated > ago(24h)\n| where EventMessage has \"Data Loss Prevention\"\n| extend DlpAction = case(\nDvcAction == \"-1\", \"Not available\",\nDvcAction == \"0\", \"Blocked\", \nDvcAction == \"1\", \"Deleted\",\nDvcAction == \"2\", \"Delivered\",\nDvcAction == \"3\", \"Logged\", \nDvcAction == \"4\", \"Passed\",\nDvcAction == \"5\", \"Quarantined\",\nDvcAction == \"6\", \"Replaced\", \nDvcAction == \"7\", \"Archived\",\nDvcAction == \"8\", \"Archived (message body only)\",\nDvcAction == \"9\", \"Quarantined (message body only)\", \nDvcAction == \"10\", \"Passed (message body only)\",\nDvcAction == \"11\", \"Encrypted\",\nDvcAction == \"12\", \"Alerted (endpoint)\",\nDvcAction == \"13\", \"Alerted (server)\", \nDvcAction == \"14\", \"Data recorded\",\nDvcAction == \"15\", \"User justified\",\nDvcAction == \"16\", \"Handed off\",\nDvcAction == \"17\", \"Recipient altered\", \nDvcAction == \"18\", \"Blind carbon copied\",\nDvcAction == \"19\", \"Delivery postponed\",\nDvcAction == \"20\", \"Stamped\",\nDvcAction == \"21\", \"Attachment deleted\",\nDvcAction == \"22\", \"Subject tagged\",\nDvcAction == \"23\", \"X-header tagged\",\nDvcAction == \"24\", \"Decrypted\",\nDvcAction == \"25\", \"Re-encrypted\",\nDvcAction == \"26\", \"Tagged (mail)\",\nDvcAction == \"27\", \"Encrypted (user key)\",\nDvcAction == \"28\", \"Encrypted (group key)\",\nDvcAction == \"29\", \"Moved\",\nDvcAction == \"30\", \"Passed (encrypted)\",\nDvcAction == \"31\", \"Passed (user justified)\",\nDvcAction == \"32\", \"Blocked (Endpoint Encryption not installed)\",\nDvcAction == \"33\", \"Blocked (user justified)\",\nDvcAction == \"34\", \"Blocked (Endpoint Encryption logged off)\",\nDvcAction == \"35\", \"Blocked (Endpoint Encryption error)\",\nDvcAction == \"36\", \"web upload\",\n\"unknown\")\n| summarize ActionCount = count() by DlpAction, SrcIpAddr, FileName\n| sort by ActionCount desc \n| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = FileName\n",
"version": 2,
"tags": [
{
@@ -2781,7 +2777,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion7')]",
@@ -2866,7 +2862,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion8')]",
@@ -2951,7 +2947,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion9')]",
@@ -3036,7 +3032,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryVersion10')]",
@@ -3117,7 +3113,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Trend Micro Apex One",
diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md
index 19df1aa026c..f73e5012a1d 100644
--- a/Solutions/Trend Micro Apex One/ReleaseNotes.md
+++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md
@@ -1,5 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data Connector** | |
-
-
+| 3.0.1 | 25-10-2023 | **Hunting Query** column corrected |
+| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | |